topic Static NAT for DMZ servers. in Network Security

Static NAT for DMZ servers.

Debudas123 — Mon, 11 Mar 2019 21:31:58 GMT

I have two nos. of dmz servers and also have two separate public IP for static NAT

I have configure the following.. but i can't access the internet.

asa(conf)#access-list outside_access_in extended permit ip any host 115.119.126.x1

asa(conf)#access-list outside_access_in extended permit ip any host 115.119.126.x2

asa(conf)#access-list dmz_access_in extended permit ip host 172.16.49.8 any

asa(conf)#access-list dmz_access_in extended permit ip host 172.16.49.9 any

asa(conf)#static (dmz,outside) 115.119.126.x1 172.16.49.8 netmask 255.255.255.255

asa(conf)#static (dmz,outside) 115.119.126.x2 172.16.49.9 netmask 255.255.255.255

asa(conf)#access-group outside_access_in in interface outside

asa(conf)#access-group dmz_access_in in interface dmz

asa(conf)#route outside 0.0.0.0 0.0.0.0 115.119.126.x 1

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 06:09:35 GMT

Hi Debu,

You have everything configured correct on the ASA, just chcek the Default gateway on the servers and alos try using 4.2.2.2 as the dns server on them. Try accessing the internet again. If it still does not work again, try taking capturs on the ASA to check where the packets are going.

Are you able to ping the ISP router?

Are you able to ping the dmz interface?

How to take captures:

https://supportforums.cisco.com/docs/DOC-17814

Thanks,

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 06:22:45 GMT

Dear Sir,

1. default-gateway of servers 172.16.49.1

2. I can ping dmz interface.

3. But I can't ping ISP.

also i have using your suggested dns 4.2.2.2 but problem is staying.

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 06:54:37 GMT

Hi Debu,

Then the best way to troubleshoot this would be taking captures on the ASA, apply captures, trying the ISP router, chcek where the packets are dropping, or if you are getting any replies from the ISP router.

This should be your action plan:

1. Take captures on ASA

2. Take logs on ASA.

3. Try packet-tracer:

packet-tracer input dmz tcp 172.116.49.8 23456 4.2.2.2 80 detailed

This output should say allow.

Thanks,

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 07:09:33 GMT

Dear Sir,

see the basic layout.......... can u tell me what is the exact configuration ?

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 07:18:44 GMT

Hi Debu,

You've got the correct configuration as far as I can see, so as asuggested earlier, take captures:

access-list cap permit host 172.16.49.8 any

access-list cap permit any host 172.16.49.8

access-list cap permit host 115.119.126.x1 any

access-list cap permit any host 115.119.126.x1

cap capo access-list cap interface outside

cap capd access-list cap interface dmz

after applying captures, ping 4.2.2.2 and the ISP router.

Do:

show cap capd

show cap capin

Check which side is not reply or dropping the packets.

Try packet-tracer as well:

packet-tracer input dmz tcp 172.116.49.8 23456 4.2.2.2 80 detailed

Are you able to ping the ISP router from the ASA??

Can you also provide the complete config from ASA, you can change the ip's if you want.

Hope this helps,

Thanks,

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 08:29:30 GMT

Dear Sir, i have also send u the conf.txt file .. one thing is that inside network can access the internet as well as dmz network. And dmz network can access the inside network, but dmz can't access internet.

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 08:36:05 GMT

Hi Debu,

I havent received any file yet?

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 08:47:45 GMT

Dear Sir,

Please see the configuration that I mention below....

ciscoasa# sh run

: Saved

ASA Version 8.2(3)

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 172.16.50.1 AD

name 172.16.51.153 Anjan_MAC

name 172.16.50.5 BBerry

name 172.16.51.98 CMD-Sec-Sony

name 172.16.51.52 DevsankarIT-Manager

name 172.16.51.76 DilipBDesai

name 172.16.50.6 Exchange

name 172.16.51.46 Goutam

name 172.16.51.104 Harjinder

name 172.16.51.165 Helpdesk

name 172.16.51.74 ITR

name 172.16.50.4 IWSS

name 172.16.50.0 Inside50

name 172.16.51.0 Inside51

name 172.16.60.0 Inside60

name 172.16.50.3 MSSQL

name 172.16.51.60 Manish

name 172.16.51.23 NP1

name 172.16.51.28 NP2

name 172.16.50.2 OfficeScan

name 172.16.51.35 Rupa-DG

name 172.16.49.14 SRV1

name 172.16.49.15 SRV2

name 172.16.51.56 Sandip

name 172.16.51.145 SandipAgarwal

name 172.16.51.150 Siddhartha

name 172.16.51.191 Soumen

name 172.16.60.78 SoumenAdak

name 172.16.51.53 Sourav

name 172.16.51.115 Standby-DBD

name 115.119.126.19 StaticSRV1

name 115.119.126.20 StaticSRV2

name 172.16.51.239 VideoConferencing

interface Ethernet0/0

nameif outside

security-level 0

ip address 115.119.126.18 255.255.255.240

interface Ethernet0/1

nameif dmz

security-level 50

ip address 172.16.49.1 255.255.255.0

interface Ethernet0/2

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif manament-only

security-level 0

ip address 192.168.1.1 255.255.255.0

ftp mode passive

object-group network NetUsers

network-object host Harjinder

network-object host Standby-DBD

network-object host SandipAgarwal

network-object host Siddhartha

network-object host Anjan_MAC

network-object host Helpdesk

network-object host Soumen

network-object host NP1

network-object host NP2

network-object host Rupa-DG

network-object host Goutam

network-object host DevsankarIT-Manager

network-object host Sourav

network-object host Sandip

network-object host Manish

network-object host ITR

network-object host DilipBDesai

network-object host CMD-Sec-Sony

network-object host SoumenAdak

object-group network Servers

network-object host AD

network-object host OfficeScan

network-object host MSSQL

network-object host IWSS

network-object host BBerry

network-object host Exchange

access-list dmz_access_in extended permit ip host SRV1 any

access-list dmz_access_in extended permit ip host SRV2 any

access-list inside_access_in extended permit ip object-group NetUsers any

access-list inside_access_in extended permit ip object-group Servers any

access-list inside_access_in extended permit ip any 172.16.49.0 255.255.255.0

access-list outside_access_in extended permit ip any host StaticSRV1

access-list outside_access_in extended permit ip any host StaticSRV2

access-list outside_access_in extended permit icmp any any

access-list dmz_nat0_outbound extended permit ip 172.16.49.0 255.255.255.0 Inside50 255.255.255.0

access-list dmz_nat0_outbound extended permit ip 172.16.49.0 255.255.255.0 Inside51 255.255.255.0

access-list dmz_nat0_outbound extended permit ip 172.16.49.0 255.255.255.0 Inside60 255.255.255.0

access-list inside_nat0_outbound extended permit ip Inside50 255.255.255.0 172.16.49.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip Inside51 255.255.255.0 172.16.49.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip Inside60 255.255.255.0 172.16.49.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu dmz 1500

mtu inside 1500

mtu manament-only 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (dmz) 0 access-list dmz_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (dmz,outside) StaticSRV1 SRV1 netmask 255.255.255.255

static (dmz,outside) StaticSRV2 SRV2 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 115.119.126.17 1

route inside Inside50 255.255.255.0 192.168.2.2 1

route inside Inside51 255.255.255.0 192.168.2.2 1

route inside Inside60 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 manament-only

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f659e5e4c1a9c17206a23e6e527a1314

: end

ciscoasa#

Thanks...

Debabrata

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 08:53:58 GMT

Hi Deb,

Try this:

nat (dmz) 1 0.0.0.0 0.0.0.0

do:

clear local-host 172.16.49.15

clear local-host 172.16.49.14

Try accessing internet again.

Thanks,

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 08:57:44 GMT

Dear Sir,

i have already try this and internet is coming but one problem is there.. i can't ping or access the dmz servers from outside ...

thanks....

Debabrata

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 09:02:58 GMT

Hi Deb,

If you do not take logs and captures you would never be able to know what is exactly happening on the ASA.

Previously you mentioned that the dmz server is not able to access the internet but now it seemed to have changed.

Debudas123 wrote:

I have two nos. of dmz servers and also have two separate public IP for static NAT
I have configure the following.. but i can't access the internet.

can you please explain what is the exact issue that you are facing:

1. accessing internet from dmz servers or

2. accessing dmz servers from the internet.

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 09:22:31 GMT

Dear SIr,

I want to access both...

1. accessing internet from DMZ.

2. accessing DMZ servers from outside

thanks..

Debabrata

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 09:46:45 GMT

any update sir........

thanks

Debabrata

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 09:48:58 GMT

Hi Deb,

I have told you already a coupple of times to take captures and logs, without it troubleshooting woudl not be possible. Plesae try it.

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 10:17:01 GMT

Ok Sir....

just confirm me that the entire configuration is right or not ?

thanks..

Debabrata

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 10:18:08 GMT

Its absolutely right, no issues with it.

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 10:24:49 GMT

Dear Sir,

one thing is that....

can I use both NAT translation in dmz ?

1. nat (dmz) 1 0.0.0.0 0.0.0.0

2. static (dmz,outside) StaticSRV1 SRV1 netmask 255.255.255.255

static (dmz,outside) StaticSRV2 SRV2 netmask 255.255.255.255

thanks

Debabrata Das

Static NAT for DMZ servers.

varrao — Thu, 29 Sep 2011 10:29:21 GMT

Yes you can use it:

The SRV1 and SRV2 would take the public ip's StaticSRV1 and StaticSRV2 respectively to go to the internet but vapart from these two host all the other hosts in the dmz woudl take th outside interface public ip to go to the internet.

Hope that helps,

Thanks,

Varun

Static NAT for DMZ servers.

Debudas123 — Thu, 29 Sep 2011 10:43:42 GMT

Yes.. t thing u r right...

** when I have using this > nat(dmz) 1 0.0.0.0 0.0.0.0 internet is running for all users in dmz zone. But i cant access or

ping the dmz servers from outside( also it is not possible without static nat)

**when I have using this > static (dmz,outside) StaticSRV1 SRV1 netmask 255.255.255.255

static (dmz,outside) StaticSRV2 SRV2 netmask 255.255.255.255

internet is not coming also i cant access the servers from outside..

**when i have using both NAT policy internet is coming (including servers), but i can't access the servers from outside.

for your information >>> the customer is now using Fortinet 110C (i have also configured this) and everything is working fine...